With the rapid development and wide application of Information and Communication Technology (ICT), it is urgent as well as challenging for all countries to mitigate threats, maintain stability and improve security in cyberspace. As one of the most advanced actors in the international digital world, the EU has made enormous efforts and achieved astonishing progress in this regard by establishing a comprehensive and systematic cyber strategy. Compared with other global actors, such as the United States, the EU has explored a different approach to address cybersecurity concerns.

Lyu Jinghua
Lyu Jinghua is a visiting scholar with Carnegie’s Cyber Policy Initiative. Her research focuses primarily on cybersecurity and China-U.S. defense relations.
More >

Firstly, the final goal is to establish a digital single market. So far, the fragmented digital markets in the European Union have played a negative role in enhancing the level of digitalization. Secondly, the primary method used to achieve the single digital market is institutionalization across the EU. Together with the Cybersecurity Act, the institutionalized coordination mechanisms are comprised of three levels: Computer Security Incident Response Teams (CSIRT) and competent national NIS authorities at the national level in each country; an EU Agency for Cybersecurity-European Union Agency for Network and Information and Security (ENISA). Thirdly, the primary mission is to promote the core values of the EU. While the promotion of core values is also a component of US cyber strategy, it is mainly viewed as a tool to maintain cyber superiority.

Since every country has to find the most appropriate method, suited to its own national interests, the EU is setting a new model for others to learn from. However, such an approach has some setbacks that lead to uncertainties as well. 

To foster the productive collaboration in cybersecurity that is a core interest to every nation, the EU has to maintain a balance between not eroding individual national interests and meeting EU-wide security requirements. Furthermore, although coordination is the key to a successful cyber strategy, its implementation still depends on the willingness of individual states. There is a long way to go not only because this is a tricky and unstable equilibrium to achieve but also due to the vast gaps of cyber capabilities among member states. 

Another major challenge is the relatively small number and scale of European digital enterprises. Though the EU enjoys robust technology development and research resources, most of its ICT products and services are dependent on foreign companies. This means that as the EU chooses to allow the private sector to play an important role, it will either face more difficulties or allow foreign companies to be dominant in its market. Whether by addressing cybersecurity in a broader sense or focusing on assurances in specific areas, the relative weakness of the EU's capabilities will hinder its further development. 

Aside from enhancing its strength, international cooperation with foreign governments, enterprises and multi-national organizations is one way to address this issue. At this level, the recently published Cybersecurity Act will have implications, at least to some extent, on EU-China relations in cyberspace and on Chinese investments in Europe. 

Although there is no official response in China regarding the EU legislation on cybersecurity strategy, a couple of basic common understandings can be drawn from China’s mass media and academic discussion. 

On the one hand, as mentioned before, the EU has explored a new approach to improve cybersecurity from which China can learn a lot. Most Chinese scholars give a positive evaluation of EU cyber strategy, which is entirely different from that adopted by the United States. Generally speaking, they believe the EU cyber strategy aims to address security by establishing rules of the road in cyber governance via a more inclusive multi-stakeholder framework, and focusing more on personal rights protection rather than building arms and hard power and placing more emphasis on the government's role and national interests. The issue of the Cyber Security Act, therefore, is mostly viewed as another effort to explore the EU way of enhancing cybersecurity through building a stronger basis for a certification framework and fostering institutionalization for further integration and collaboration. In addition, there has been a lot of research conducted in China that compared the General Data Protection Regulation (GDPR) with China’s Cyber Security Law, which aimed at finding lessons from which China could learn in order to improve its regulations regarding the protection of personal information. 

On the other hand, there are widespread concerns regarding how stricter standards set up by the EU could impact China’s digital investment in Europe. It is well recognized that, in the long run, a common standard within the EU could lead to decreased costs for foreign companies since they will need to take measures to meet only one requirement rather than various member states’ requirements. However, a greater element of concern is whether some of China's Internet companies will be faced with more restrictions and therefore bear more costs than expected. In particular, as some European countries are under enormous pressure from the United States to ban Huawei from their markets, there are concerns that the Cybersecurity Act was adopted by the European Parliament to counter Chinese IT threats. Chinese analysts are now closely monitoring whether the Act, as well as any other step taken by the EU, will lead to limiting markets open to the Chinese IT industry. 

However, there is a shared belief among Chinese observers that in order for the EU to continue to play a prominent and significant role in the digital world, it would need not only to continue its approach and to work together with the US, but also to adopt innovative ways to create space for more cooperation with other countries like China, although this will be a test for EU decision-makers.

This article was originally published by ISPI Online.